
The Cyber Job Force Gap


Gitcyber


According to Cyberseek, there are around 700k+ unfilled cybersecurity jobs in the USA alone. I'm personally still in college and I've never attempted to apply for a job in the cyber force (not yet, at least), but why are there so many unfilled jobs here? Is it because companies require too much from candidates, or is there a genuine shortage of cyber professionals across the board?


It's actually quite simple, so much so that it's frustrating. The vast, vast, vast majority of these unfilled jobs are for mid-to-senior-level people. This creates a couple of problems.

1: Companies are not willing to train people to fill these roles down the line. They want experienced professionals who can slot into the role and hit the ground running.

2: Crappy bootcamps and courses tout this fact and promise people new to IT that they can get a banger job just by taking the course.

3: As a result, there is a critical lack of mid-to-senior-level cybersecurity professionals.

 

There are very few true entry-level cyber jobs. This gap only exists because companies are either too lazy, too cheap, or too underfunded to bring in a newer person and train them. This is ultimately what companies will have to start doing if they want to close the gap.

I'm a great example of this, actually. I was hired as an analyst doing mainly alert triage. Less than a year later I was promoted to engineer, heading our detection efforts and playing a large role in our IDR process. I was afforded the opportunity to learn, ask questions, and grow. Now I'm able to fill that senior-level role. Companies need to start doing this ASAP if they ever want to fill these roles. If I have 4 years of experience and am a kickass security engineer, I pretty much have my pick of wherever I want to work. That's why those jobs don't get filled: the people who are qualified can easily find much better jobs.


There are definitely problems with companies' hiring processes, but I also think there are simply more jobs than people looking to fill them right now.


I think there is a big problem with companies, especially in the cybersecurity field. They don't want to spend too much money on training employees, but they end up spending money outsourcing the recruitment. Companies like the Big 4 (almost all big companies) do this, I don't know whether legally or illegally: they outsource to third parties to bring in people to do the work. Now what this outsourcing company will do is grab some freshers and put them in the company at a low price. But the problem is, when you look at the company's career site, you'll see that they want people with more than 10 or 15 years of experience, which is absolute rubbish. And there is a problem with some interviewers as well, who go by some kind of "Interview Playbook" that they don't even know the answers to.

The only benefit I see is the third-party recruitment companies making money out of cybersecurity, from the companies as well as from the guy who wants to take the job.

Now you might be wondering, what about the guy who has very good or medium-level skills? Well, to be frank, it doesn't matter: "Your Resume/CV Won't Get Selected To Showcase Your Skill".

I have worked with different companies in Dubai, Australia, India and Oman. So if it is happening in the mentioned countries, that means it is happening in the whole world.

 


1 hour ago, MalwareTech said:

There are definitely problems with companies' hiring processes, but I also think there are simply more jobs than people looking to fill them right now.

I think the biggest issue is lack of training. Whether it's inability, funding, resources or desire doesn't really matter. Security is so wide and so broad that it's very rare to find people who can hit the ground running. Plenty of eager and promising people are barred from the field because of this, imo.


1 minute ago, ChickenKing said:

I think the biggest issue is lack of training. Whether it's inability, funding, resources or desire doesn't really matter. Security is so wide and so broad that it's very rare to find people who can hit the ground running. Plenty of eager and promising people are barred from the field because of this, imo.

Imagine there are companies where the heads of the employees don't know what they are doing, so the question is: how can they train? I have seen employees from the Big 4 who only run a scan and prepare the report. I was blown away by that: what are these guys even doing?

I agree, training is important.

I have one thing always in my mind: why do these companies ask for years of experience? I can be extremely good with whatever I touch, because I know that security folks are very quick learners. Experience matters, but why go only by years of experience? I have seen people who only write mail and play office politics 🤣 and have 10 years of experience.


A lot of good, valid points raised. I've been building our security team from 30 people up to almost 2,000 over the last 7 years, and here are my observations on market behaviors (which I can't influence) and manager behaviors (which I can influence):

- Managers tend to be technical resources who then progress to being a manager and all of a sudden need to build or manage a team around them. They are not always equipped to be people managers and therefore don't do the right things around hiring or growing people. They are too picky: too focused on technical skills versus potential/ability to learn. Time needs to be spent coaching and developing managers to be strong people leaders. A manager's primary job is to manage, not to be an SME on something.

- Organizations don't know how to treat security professionals. Are they just another tech person? Are they something else? How should they compare to other roles that manage risk (such as the legal or HR department)? What are valid security credentials? (Lawyers have a JD, accountants have a CPA, etc.)

- Organizations and managers are unable to articulate what the objectives of security are. "Not being hacked" is not a very specific or valid objective. If one can't even describe their objective, how can they hope to determine what they need to succeed?

- Security doesn't always have a straightforward training curriculum, so some organizations struggle to grow junior people (if they even try). There are so many areas of security and possible paths. I think people need to recognize that and take a coaching approach instead of sending people to training (this goes back to managers not knowing how to manage).

- The definition of a security role is very broad and there are many areas of security. A lot of people only focus on the very technical roles and have romanticized the idea of a career in cyber as a pen tester or red teamer. Because this field is so broad, candidates not even looking for a security role should consider the field, and managers need to look at non-typical backgrounds. Some of my best security people had never had a security job before working for us.

I'm sure there are a few more points I'm not coming up with due to jet lag 😴

 


On 11/11/2022 at 1:38 PM, doctor_tran said:

- Managers tend to be technical resources who then progress to being a manager and all of a sudden need to build or manage a team around them. They are not always equipped to be people managers and therefore don't do the right things around hiring or growing people. They are too picky: too focused on technical skills versus potential/ability to learn. Time needs to be spent coaching and developing managers to be strong people leaders. A manager's primary job is to manage, not to be an SME on something.

Moving technical people into management doesn't always work. Being technical while in management is extremely useful, but you have to be able to translate that technical aspect into something that non-technical business majors can understand. Also, there's the risk of using BS metrics to justify a budget (such as number of tickets generated vs. number of staff). The main work of a manager is to fight for their team and get the best results for the company. So you have to find ways to justify either hiring experienced people or a higher training budget. Add in that not all organizations have project managers assigned to teams or available, so that's another skill a manager would need to have.

Having an MBA can seriously help in this respect, and it's a specialization that's a bit under-regarded by people in the industry, as too many people see being in a non-technical role as something negative.

 

Quote

- Organizations don't know how to treat security professionals. Are they just another tech person? Are they something else? How should they compare to other roles that manage risk (such as the legal or HR department)? What are valid security credentials? (Lawyers have a JD, accountants have a CPA, etc.)

Working in medicine, I'd say that a good equivalent is to treat security people similarly to doctors. Most state medical board certification exams are similar to security certifications: they have to be renewed regularly. Same thing with conferences, IMHO. Sure, doctors get sent to some questionable conferences in the Caribbean or other places by pharmaceutical companies, but doesn't something similar happen in infosec? We've got the major conferences out there, then the ones primarily organized so that vendors can give their pitches. Meanwhile, outside of SANS papers and CISA alerts, there's limited literature compared to some of the medical journals out there.

Personally, I think new grads and people that come out of bootcamps can consider their first 3-5 years in the industry as being internists: they're trying to get a view of everything and learn what they can on the job. After that you can be considered a GP, General Practitioner, and over the next couple of years you start specializing in the stuff you actually liked, based on your previous experiences. After that, it's specialization all the way, and years of experience tend to be what matters.

 

Quote

- Organizations and managers are unable to articulate what the objectives of security are. "Not being hacked" is not a very specific or valid objective. If one can't even describe their objective, how can they hope to determine what they need to succeed?

I found that The Phoenix Project states this succinctly regarding types of work.

  1. Business Projects
  2. Team/division projects
  3. Operational Work
  4. Unplanned Work/Incidents

Projects are designed to either improve the economics of a company, introduce a product, or improve the standing of the company in a specific field. For the latter, one can say that the objective of a security team is "To continuously implement and improve upon IT solutions and procedures, to improve the security posture of the organization". That is, the projects the team is doing to strengthen current measures and implement new ones are the key metric. NOT TICKET NUMBER.

The last one in the list is a bit telling, as by DevOps standards it's generally considered something to avoid altogether, but that's impossible in infosec. If you are only doing incidents, how much of your team's energy is actually dedicated to improving things? Minimal. The question is: is doing tickets just the end-all for your team? If so, what's the difference between your team and a SOC? None. Can you outsource the L1/L2 tickets to a SOC, deal with the higher-risk ones, and leave time to actually implement tools correctly or consolidate what you have?

The objective should be to continuously implement new projects that can improve the security posture of a company. The successful completion of said projects is the metric, because you can't measure "how many times you haven't been hacked", but you can measure progress in implementing projects.

Same with ticket closures and SLAs. If your metric is that, then you're leading a SOC rather than a security team.

 

Quote

- Security doesn't always have a straightforward training curriculum, so some organizations struggle to grow junior people (if they even try). There are so many areas of security and possible paths. I think people need to recognize that and take a coaching approach instead of sending people to training (this goes back to managers not knowing how to manage).

There are a few graphics showing various certifications and their levels. Growing junior people is hard: do you budget a large amount for training, and risk people leaving after being trained, or do you hire experienced people (and bust your hiring budget)? It's a balancing problem. If you train up your junior-level people and they specialize, you're also going to have to pay them more because of that. If you hire senior-level people who are already specialized, you're going to pay more to get them, but they can mentor junior people to do part of their work within a couple of months.

But if you hire generalists to save money, don't provide a good or adequate training budget, or pay under market rates because they're not specialized, you'll get one of two outcomes:

  1. They'll stay because they're comfortable and don't care about advancing or improving their knowledge (complacent employees).
  2. They'll start learning and doing certs on their own to specialize, and once they have those credentials, they'll bolt for a new company, leaving you short a worker.

It's all management style and how the manager can fight for their team and program.

Quote

- The definition of a security role is very broad and there are many areas of security. A lot of people only focus on the very technical roles and have romanticized the idea of a career in cyber as a pen tester or red teamer. Because this field is so broad, candidates not even looking for a security role should consider the field, and managers need to look at non-typical backgrounds. Some of my best security people had never had a security job before working for us.

Most of us are more comfortable with technical roles: we don't have to deal with people, and we are challenged mentally. But when you get to management, you get to the crux of the problem. Either those managers don't come from security or IT, or they do. So they either have little knowledge of what people are doing but good capabilities in office politics, or they are technically minded but have no idea how to fight for a budget or handle team issues. Personally, if you see someone who has some business talent beyond just the technology aspect, push them into some project management experience. Get them a basic Project+ and have them start running any Scrum meetings: listening to co-workers and working with them to get work unblocked. They don't have to do the full management job, but if something from another team is stopping a co-worker's work, they can tell that co-worker to talk with the manager to unblock it. It's "management lite". If they want to expand and do an MBA, GREAT! They're interested in being able to translate the security and technical aspects of the job into something that management and the C-suite can understand.

In part this is based on my own experience. I've been a Scrum master since the end of last year, and instead of just half-assing stuff, I tend to read up on how to actually do something. So between "The Phoenix Project", "The DevOps Handbook", "The Goal", "Scrum" (Sutherland's book), and a number of other sources, I've actually started to organize the Scrum program around these concepts and am trying to rework it so that everyone has less to do regarding meetings while still being able to keep an eye on their work. Personally, instead of a Pew-Pew Map, there should be a Scrumban board visible for the team to keep an eye on.

I've actually gotten enough done on this that I've started submitting talks and trainings about it for various conferences next year. Btw, I'm also looking for a new/better job 😄


We've been hearing that there are a billion empty positions in security forever now. Does anybody work for a company that just has open infosec spots sitting there with no applicants?

I don't know how many people out there agree with my take on it, but security departments should be actively poaching IT people for their open roles. There are few infosec spots that straight-up systems engineering talents don't translate to just as well. Do you know that one of your hot-shot sysadmins doesn't have a lot of room to move up? Talk to them about whatever open infosec roles you have; they might be an amazing fit.


2 hours ago, shan said:

I don't know how many people out there agree with my take on it, but security departments should be actively poaching IT people for their open roles.

I'm with you on that one, as someone that is trying to pivot...

My perspective, as a long-time veteran of IT (over 30 years), currently in an IT Director position (I'd call it Scuffed Director because it's a very small firm, so I wear nearly all the hats when needed; probably more like IT Manager, as I don't share a seat at the big table very often):

I've tried to pivot to InfoSec for the last 3 years and can't get an interview. I have a solid resume that will get me an interview for just about any systems engineer/sysadmin/IT Manager job I've applied for, and a reasonably solid LinkedIn with some great recommendations. I'm probably 300+ applications deep into SOC Analyst positions, because I would be willing to take a drop in pay to get my foot in the door: nothing, nada, zip. The very few actual replies I get are essentially "looks great, thanks, but going with the more qualified candidate". I take my own responsibility for some of this rejection/ghosting: I am very low on certs, especially in infosec, as I'd hoped 30+ years of actually doing tech, most of which had (and still has) multiple security domains as part of my daily duties, would at least get me some consideration. Hint: it doesn't! I should probably also dumb things down a bit; IT Director to SOC Analyst is probably a bad look in the eyes of HR. I presume I just don't make it through many of the screening filters.

All that to say, I also understand most of these unfilled jobs are NOT entry level. But at over 50 years old, I've pretty much just given up trying to pivot, and I just enjoy filling my brain with infosec, continuously learning new stuff, and living vicariously through InfoSec Twi...Mastodon.

I have to burn all my end-of-year "use it or lose it" PTO, so I do plan on just buckling down and using the extra free time to add a few security certs to my resume, just to see if it pierces through the HR filter for a change.


There is a push by NIST in the US to run cybersecurity apprenticeships. There are a bunch of programs (https://www.nist.gov/nice/apprenticeship-finder) that exist, though I'm not sure how many jobs get filled via this route. Personally, I applied to all of them that had a remote option a few months ago and haven't had any follow-up from any of them yet.


18 hours ago, 0xRokkr said:

There is a push by NIST in the US to run cybersecurity apprenticeships. There are a bunch of programs (https://www.nist.gov/nice/apprenticeship-finder) that exist, though I'm not sure how many jobs get filled via this route. Personally, I applied to all of them that had a remote option a few months ago and haven't had any follow-up from any of them yet.

I didn't know apprenticeship opportunities were even available. I just applied to a few from that site that were in my area. Hopefully I can get a reply back.


On 11/18/2022 at 5:14 PM, RewildingEd said:

I'm with you on that one, as someone that is trying to pivot...


Thanks for sharing this experience. To what extent do you think this is ageism, or do you think that companies believe you're overqualified?


1 hour ago, hyperreality said:

To what extent do you think this is ageism, or do you think that companies believe you're overqualified?

It's hard to say, but I'd guess a little of both. I think it's a combination of lacking any security-specific certifications to get past the initial HR filter, and my total years of experience/job title versus the jobs I'm applying for (i.e., what the heck is this guy trying to do?). Not sure of the answer to the second dilemma. I'm not comfortable lying about my experience/current position, nor would that do much good unless I changed LinkedIn to match, something my current employer would likely notice. I'm hoping adding a few certs will help get that initial phone call to explain the rest. I've also tried bypassing HR quite a few times by connecting with hiring managers directly through LinkedIn; that hasn't changed things at all.


On 11/18/2022 at 5:14 PM, RewildingEd said:

I'm with you on that one, as someone that is trying to pivot...


Thanks for this. Do you think companies are just going through a tickbox exercise on certs and discarding the experience? I have found some evidence, local to where I am, that even recruiters won't touch you unless you have CISSP as a bare minimum. What annoyed me the most, when I did my CISSP cert, was that one guy basically guessed the questions and passed. He was only on the course because his company paid for it and wasn't fussed. What was a 6-hour exam (I used 5 hours) took him considerably less. Yet he now walks around with a "gold standard" cert and probably gets interviewed verbatim for having that cert.


2 hours ago, v0ltage said:

Do you think companies are just going through a tickbox exercise on certs and discarding the experience?

I do think that might be the case, to some extent. I mainly apply through LinkedIn or Indeed, and I have to wonder if I'm just not getting to the point of anyone looking at my experience, since I can easily be discarded in the first round when hundreds of other applicants have security certifications versus my actual experience.


For me, in my experience, the companies that are willing to hire people without cybersecurity experience don't tend to pay very well. I started as an apprentice doing infrastructure work, but I moved on because by the end of the two years I was doing the work of a sysadmin but getting paid like a support apprentice (the same amount of money I got working in a grocery store).

So I accepted a role that I'm super grateful for and worked there for another two years as a security engineer. At that point the company was a high-stress environment and didn't pay very well. I moved and literally doubled my salary for a much lower-stress environment and better experience.

So companies that hire these people for their first cyber job probably end up frustrated that their employees leave after 18 months and they have to start over again, because they don't pay enough.


On 11/17/2022 at 5:44 PM, AdmFord said:

I'd say that a good equivalent is to treat security people similar to doctors.

Coming from a biomedical background, I have to disagree. For better or (mostly for) worse, in medicine things change on the scale of a lifetime (cue "science advances one funeral at a time"). Doctors get trained mostly in the most recent science (at least in reputable medical schools), then pick up practices on the ground from doctors 20, 30, 40 years their senior, a lot of them based on anecdotes.

As a researcher you are trying to push the field forward, and your biggest allies are MDs trying to climb the ranks and get THE medical discovery that would make them visible enough to become a star that hospitals and clinics fight over. Your biggest enemies are MDs that successfully climbed the ranks and are now in top positions and don't want anyone casting a shadow on the research that made them famous 30-40 years ago.

Specifically in my domain it was the whole concept of "cancer genes". Since the mid-00s, as the data from sequencing studies started to pour in, it became clear that there is no such thing: genes can be cancerous or cancer-protective depending on the context. Similarly, no canonical progression through gene alterations exists. However, the people who came up with the idea in the 80s are now the top dogs deciding hiring, promotions and funding, which means working on the context-dependency of genes in cancer is pretty much suicide career-wise, and med students are still being taught the cancer promoter/cancer protective gene theory with its ~300 gene names.

 

Hacking is by definition coming up with ways to use things in a way they were never intended to be used and no one has ever thought of before. Things move at such a breakneck pace that 5 years is a lifetime, and sometimes weeks can change a recommendation/action plan for certain settings.

Whereas medicine can afford to advance one bi-yearly peer-reviewed publication at a time, each of which took 3 years to write and publish, cyber-security advances one tweet/toot at a time, all typos included.


On 11/18/2022 at 6:14 PM, RewildingEd said:

IT Director to SOC Analyst

One of the issues I've seen with over-qualified people coming from managing positions into junior-level hands-on positions is that very fast they switch from doing the actual work you hired them for to running office politics behind your back.

I can't guarantee that's what always happens, but it did happen in every such situation I know of, and a lot of people won't give someone in that position a shot unless they come with dead-serious recommendations from someone they trust.


A couple of thoughts on this.

1. Infosec is a "hot market", but it's only been a feasible career path for a wider market for 10 or so years. Senior positions are available now because there's (finally) a market for them, but people don't have the breadth and depth of career experience to fill them, because the career path hasn't been available.

2. As someone who's worked as a situation manager in "significant" incidents going back to 2012, I'd say anyone who wants a predictable job that they can structure their life around should avoid infosec. IT operations is bad enough, but infosec is IT operations on steroids. You can't predict activities half an hour in advance. Daily priorities change quicker than in just about any other part of a business. Budgets vary based on how recently the CEO/CIO have had first- or second-hand experience of incidents, or regulators have taken aim at their industry.

Sure, lots of fulfilling jobs are demanding and difficult, but infosec can become all-consuming way too easily. It takes special people to care and be passionate about infosec, and the overlap with "have a life outside of work" is not huge.
