Blog entry by Les Bell

by Les Bell - Monday, 23 October 2023, 9:04 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


Cybersecurity 'Skills Shortage' a Mirage?

For some years now we have been hearing about a cybersecurity skills shortage, and massive shortfalls in the number of security professionals available to fill the growing number of jobs. YouTube is full of channels offering advice to those entering the field via bootcamp courses, and ISC2 (which has rebranded itself, concluding that (ISC)² is incomprehensible) claims to be well on the way to putting one million candidates through its free online training and certificate, 'Certified in Cybersecurity'.

This has never gelled with my experience as a university lecturer teaching third-year students ('seniors' to those in the US) and Master's students. While more than a few of my students were already in the workforce (it's a joy teaching those who already have some experience) and others had jobs lined up, sometimes via graduate recruitment programs in tech and finance companies, others were struggling, even after graduation. Many of those who graduated with a good Bachelor's degree in Computer Science, IT or Cybersecurity quickly moved on to Master's programs in search of even deeper knowledge.

Now long-term security pro Ben Rothke has blogged on the issue, pointing out that figures such as the claim by Cybersecurity Ventures that there will be 3.5 million unfilled cybersecurity jobs in 2025, a backlog that has continued from 2022, are highly exaggerated. This reflects a number of problems, predominantly in the recruitment process - starting with companies who post job listings with significant security requirements while only offering entry-level salaries.

At this point, there does not seem to be a shortage in the higher-level positions occupied by generalists, middle managers and CISOs. Rather, the shortage is of people with deeper technical knowledge. Quoting top recruitment professional Lee Kushner, Rothke writes:

"What there is a shortage of are computer scientists, developers, engineers, and information security professionals who can code, understand technical security architecture, product security and application security specialists, analysts with threat hunting and incident response skills. And this is nothing that can be fixed by a newbie taking a six-month information security boot camp."

I would have to agree. Gaining deep experience in these fields can take years; gaining experience across several, decades. And while many recruiters simply look for a high-level certification such as CISSP, that certification really only reflects a shallow understanding across multiple domains of security, and not a deep understanding of any one of them, with a requirement for only five years' experience in total across all of them - not much for those moving into the senior and management positions the certification is really intended for.

I have long worried that our 5-day CISSP prep course contains just too much technical information, perhaps diving deeper into some areas than the exam really requires. But increasingly I am glad that it is backed by an 800-page wiki of course notes and other references that do allow our students to gain a more thorough understanding of these areas than just recognising a few buzzwords.

Furthermore, there are very few entry-level jobs in security - at least, that are suitable for entry-level skills. An application security specialist, for example, needs to have a few years of experience in application development in order to have seen - and made - the kinds of mistakes that a security specialist should be hunting for, not to mention an understanding of the development environment and tools. The idea that a six-month boot camp - or a free online course - can lead to a six-figure salaried job defending a megacorp against thousands of wily hackers is, well, naive.

For most employers, the best way to meet their own demand for security professionals is to recruit from within, cross-training and offering administrators and developers a path into a security stream, and taking advantage of their existing experience. In a sense, this mirrors the experience of the multi-decade security professionals I know, who all ended up in security after many years in other IT fields, which they capitalized upon as the basis of a thorough knowledge of how security really works.

External recruitment will still be necessary, however, and it is time for a shakeout of both recruitment practices and recruitment professionals - the latter, especially, need to be able to differentiate the various subfields of infosec and the depth of technical roles in each. Hmmm. Perhaps we should offer a short course for recruitment firms?

Rothke, Ben, Is there really an information security jobs crisis?, blog post, 12 September 2023. Available online at https://brothke.medium.com/is-there-really-an-information-security-jobs-crisis-a492665f6823.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.