
Some analysis also finds the situation has been exacerbated by the Great Resignation. The InfoSec IT and Security Pipeline survey reports filling open positions became more difficult at the start of 2022. And with a majority (51%) of cyber security professionals reporting stress and burnout as a result of higher workloads during the pandemic, that has likely prompted many to seek other fields.
 
But a number of Twitter threads and opinion pieces lately have caught my eye as they aim to deconstruct the factors that allow the skills gap issue in security to persist.
 

Failing to build the pipeline

 
“We talk about skills shortages everywhere in cyber security - but almost 99% of the job postings I see are for already experienced individuals. We have a skills shortage because we are not hiring new security folks into this industry,” tweeted security veteran and TrustedSec founder Dave Kennedy (@HackingDave).
 
Jennifer Cathcart, cloud security practice lead at Kudelski Security (jenncathcart), suggested an emphasis on on-the-job training was the answer.
 
“I see a lot of companies with a lot of blinky boxes, that they are only using 30% of the capabilities for, and these products are expected to run themselves. Instead of buying more stuff, hire some junior people to learn these products more deeply, and build your bench,” she said.
 
Ben Rothke, senior information security manager with Tapad, recently opined that many security jobs go unfilled not because there is no one to fill them, but because the firms looking to fill a role refuse to provide a salary commensurate with the position.
 
He authored a blog that provided a list of recent job openings in security in which, he says, salaries do not match market realities.
 
“Unfortunately, many firms have their head in the sand and refuse to invest in information security by hiring qualified professionals,” he wrote.
 

Gatekeeping creates a false sense of scarcity

 
Others argue the problem is unrealistic expectations about the type of background a person should have when trying to land a job, and that information security can, at times, still struggle with gender equity in hiring.
 
“ANOTHER MALE CISO on LinkedIn just posted #Cyber isn't an entry level job and you MUST come from IT. A panelist from last night literally was a teacher of Spanish and just started as a SOC analyst earlier this yr. Stop gatekeeping. Cyber can be for ANYONE. Especially women,” noted a security professional who tweets under the handle @ElsecallerLiz.
 
In response, Marian Merritt (@marianmerritt), Deputy Director at National Initiative for Cybersecurity Education (NICE) agreed.
 
“Gate keeping is keeping good people out and must end,” she tweeted. “A new ISC2 study shows that training costs are low ($1k) to get someone up to speed for the job.”
 
Indeed, the new research from ISC2, the 2022 Cybersecurity Hiring Managers Guide, finds the cost of talent development is relatively low, ranging from U.S. $500 to $5,000. The study also says it doesn’t take long for entry- and junior-level practitioners to be “up to speed.” The study, which looked at the hiring practices of 1,250 hiring managers at organizations across the U.S., Canada, United Kingdom and India, finds 37% of hiring managers say entry- and junior-level hires are ready to handle assignments independently within six months or less on the job.
 
ISC2 itself says the findings point to a solution to the skills gap through hiring practices - by building a recruitment process that onboards and develops employees in junior-level roles.
 
Others say it’s a high bar to expect hiring managers to hire inexperienced workers for security roles, even those with a higher ed degree in security.
 
“Infosec Twitter wants to hate on infosec degrees,” tweeted Jonathan Gonzales (agodslittlemacro), a Falcon Complete Analyst with Crowdstrike. “I have one and I agree it has a major skills gap. But at the same time, what is management doing to curb that? You want a hiring pipeline out of a school but will toss 98% of the resumes away from them not being sufficient.”


Related reading:

6 tips for effective security job postings (and 6 missteps to avoid)

With demand for security professionals outstripping supply, employers need to ensure their job postings hit the mark. Here’s how to write a security job posting that attracts qualified candidates. Read More.

 

Cybersecurity researchers face real-life threats

Investigations into both cybercriminal and nation-state actors can have consequences. Some researchers have upgraded their physical security. Read More.

 

We don’t need another infosec hero

By setting yourself up as the defender, the solver of problems, you cast your business colleagues as hapless victims or, worse, threats. This is not a useful construct for engagement. Read More.

 

About the Author
Joan Goodchild is a veteran writer and editor with 20+ years experience. She writes about information security and strategy and is the former editor in chief of CSO. 

©2022 IDG Communications, Inc.