Got Work? Revisiting The Market For Security Professionals
As security professionals from across the globe gathered last month at RSA, some of the conversations inevitably turned towards jobs and many organizations' inability to find quality candidates. This has been an issue in the information security field for years, but has recently been vaulted back into the spotlight as President Obama very publicly revisited the issue of cybersecurity.
"If President Obama’s Executive Order to increase infrastructure for cybersecurity didn’t give enough indication, security is a top priority for 2013," Scott Skinger, CEO and Founder of IT training company TrainSignal told Security Bistro. "The Pentagon alone plans to add 4,000 jobs to defend against cybercrime, but they aren't alone. The private sector is taking similar precautions, especially in terms of mobile devices, to protect against malware, spam and unauthorized attempts to penetrate systems. Opportunities in security will continue to be in high demand as hackers adapt and find new avenues for attack."
Skinger echoed the sentiments of Mark Weatherford, former Deputy Under Secretary for Cybersecurity for the Department of Homeland Security, who gave a talk at RSA that lamented the lack of available security talent to combat these growing threats.
"There are not enough people available and not enough in the pipeline for both the government and private sector," said Weatherford. "This is critical to the economic viability of our nation and one of [our] biggest corporate issues. The pipeline is too small to meet the nation's demands."
We touched on two recent surveys in a previous post that confirm a growing divide between the qualified and those that desperately need their services.
A recent survey by Burning Glass Technologies, a developer of intelligent job market technologies, found, based on a five-year study of cyber security job listings, that demand for these positions is growing at a torrid pace: 3.5 times that of the traditional IT profession and 12 times faster than the overall labor market, making it challenging for recruiters to fill the necessary slots.
When these results are added to the recent (ISC)² 2013 Global Information Security Workforce Study, the picture comes into focus. That report confirms this talent shortage and its impact on organizational readiness, finding that the "major shortage of skilled cyber security professionals is negatively impacting organizations and their customers, leading to more frequent and costly data breaches."
Jeff LoSapio, a partner at information security consulting firm Stratum Security, has been an employer in the infosec industry for well over a decade. He's hired more than 100 people in that time period and told Security Bistro that he has felt the impact of these hiring trends since 2004, when the federal government started increasing the demand for security professionals.
"For the past year we've had open positions for people experienced with software security code review. We cannot find these people, and when we do they are very expensive," said LoSapio. "Any decent developer can invest 6-8 months to get educated on application security and earn 40 to 60 percent more than they are currently making within 1-2 years."
LoSapio says the real issue resides in finding qualified technical applicants.
"For entry level, employers need candidates that have core technical skills --- these would fall into either networking or application development depending on the type of security position. Application security is a very fast growing field and is one area where the lack of qualified candidates is really painful," he said. "It's near impossible to find entry level application security candidates, so most employers are looking for candidates with solid development backgrounds with exposure to multiple development languages."
Joshua Marsh, an Engineering Manager at infrastructure systems integrator CompuNet, is currently looking for a Security Architect to join his growing team. Despite having a high-paying position in what is supposed to be an employers' market, he is having some serious difficulty.
"I've gotten limited response to my job posting," said Marsh. "I've started trying to connect with people on LinkedIn, to see if I can dig up an applicant."
His experience with LinkedIn clued him in to the difficulties of the marketplace. As an example, Marsh cited a recent response he received from an unnamed user. After Marsh replied that he was interested in the applicant's security skills, this was the candidate's response:
bet u are, 100% remote and lots of $, otherwise take your place in line, 300 or so.
Marsh wasn't interested, explaining that the "applicant's" rudimentary communication skills were an immediate turnoff. But the exchange does point to a theme that Marsh says is becoming more prevalent.
"The interesting thing is that this person is likely employed and believes that they can speak this way to potential employers. At the least, it is indicative that there are a lot of people trying to hunt down security experts," he added.
Domingo Guerra, co-founder and president of the mobile app security company Appthority, said he has no problems finding applicants. It's getting them interested that is often the real work.
"The San Francisco Bay Area is a characteristically competitive market to recruit for engineers, especially in the enterprise mobile, application and security industries. We've found that it's important to get out there, attend local events and network with like-minded industry professionals," he said. "One tactic we've used to attract potential hires is to start hosting our own Meetup events at our offices. We've found this to be a successful approach. Our last happy hour event and lecture was very well-attended and we met with a number of prospective candidates."
Skills In Demand
So if an employer can locate a potential candidate, what attributes are most in demand?
LoSapio told Security Bistro that for network security, understanding the basics is key.
"[Candidates need a] fundamental understanding of how networking technology works, and how to utilize technology properly to secure networks," said LoSapio. "It seems simple, but there are a lot of experienced networking candidates that don't understand security."
Skinger, who is a trainer and coach by trade, said that employers are looking for versatile hires who have multifaceted skills.
"[They're] seeking cross-functional professionals who are well versed in business infrastructure in addition to deploying firewalls, threat detection and encryption technology," he said. "Prospective cyber security job candidates can skill up with classes like: CompTIA Security+, Certified Ethical Hacker, and CISSP."
LoSapio maintains that the issue has its roots in our education system. From there, it becomes challenging to stem the tide.
"Any security knowledge is a huge benefit, but software engineering programs are still woefully behind the times and rarely address security in their curriculum," LoSapio told Security Bistro. "There are several schools changing this trend, but it's not happening fast enough. Hands-on technical experience is very valuable and entry-level candidates should get creative in seeking this out."
But as Undersecretary Weatherford said during his talk at RSA, it isn't always school that makes the security professional. Instead, time and experience are the main differentiators.
"And it isn't always a college degree," he said.
Robert Fitzgerald, president of The Lorenzi Group, a technology consultancy, told Security Bistro that while experience is important, it is no substitute for a team-centric approach to recruitment. And sometimes that means going with youth, even though they lack the big-time resume.
"The biggest security risk we have seen is in over-trusting the confidence of someone with years of experience and credentials. I am not knocking experience or credentials. We see a big push for people with 10, 15, 25 years of cyber security experience," he said. "This is not realistic, mostly because it was not a critical role 25 years ago. Relying on one individual too much will jeopardize the security of the organization."
The vital ingredient is a team-centric approach that can pull on the collective's skill set to engender a holistic, well-rounded approach to security.
"Building a team, even a young team of people that can work together, solve problems, and take risks will offer better security and peace of mind," he added.