Security people sure have it good. The United States Bureau of Labor Statistics tells us that in 2012, self-described information security professionals experienced 0.9% unemployment – a sliver of the roughly 8% national average. The Bureau projects 22% job growth in InfoSec by 2020. Granted, even the BLS admits their numbers aren’t to be taken as gospel, but that’s only because they couldn’t find enough security professionals for a representative sample size. The Pentagon alone plans to add about 4,000 employees to the Defense Department’s Cyber Command. For organizations in the private sector, recruitment of security talent has become such a priority it’s a full-time job. I should know. With this kind of demand for their skills, you’d think security professionals could simply waltz into any company they like, find perfect jobs ideally matching their backgrounds, and write their own checks.
However, a serious disconnect exists between the desperate need for security talent and the hiring behaviors of many organizations. Human resources departments still release job descriptions with little or no information about the actual day-to-day work to be performed. The titles aren’t much better, when a “security analyst” can be anything from a DLP implementation engineer to an application penetration tester. Understaffed and over-utilized hiring managers don’t have time to conduct searches themselves, but routinely express dissatisfaction with the quality of candidates their corporate recruiters find. And it figures: HR isn’t incentivized to know about ethical hacking, risk assessments or malware reversing, or how to tell the difference between a keyword-rich résumé and the best technical and cultural fit for their security organization.
This disconnect creates fear, uncertainty and doubt, or FUD, on the part of both talent-hungry organizations and those elite individuals who command the best information security jobs. Companies know they must attract security experts; candidates know their skills are in high demand. And yet InfoSec hiring has become a problem of distribution, like world oil supply or food to the needy: the resources are there, but because of FUD, they’re not being intelligently routed to the places they’re needed. Companies fear the risk they assume in remaining short of security staff (and they should), but they’re uncertain about how to better attract talent and doubt they’ll be able to do so. Candidates fear (and loathe) calls from recruiters who don’t understand what they do; vague, incomprehensible and sometimes impossible job postings make them uncertain as to whether to pursue new opportunities, so when they find a role where they’re relatively happy, they doubt they’ll want to leave anytime soon. The process stagnates and the demand isn’t supplied.
Don’t succumb to FUD in your job search or hiring process. If you’re a candidate for a new role, work with recruiters and hiring managers at organizations that duly value candidate experience and finding the ideal match for the job – not just anyone with the right acronym on her résumé. If you’re looking to hire security talent, prioritize best practices in InfoSec hiring. Certainly be aware that you have to move fast, that you’re competing with literally every major organization for talent, and that you cannot afford to treat security talent as a “nice to have” competency in your company. Then realize that streamlining and clarifying your recruitment process will only help you in reducing time-to-hire for the security experts you need. Take a deep breath, smile, and cut the FUD.
If IT Security professionals have it so good, why are there so many vacancies for positions? So we have:
1. No CISSP – no job.
2. No active security clearance – no job.
3. If unemployed, then no job, as the individual fails items 1 and 2 above.
4. If selected, then the individual pays their own relocation to another state, then waits from 3 weeks to 2 months for a paycheck – no job, can’t afford to pay out-of-pocket expenses.
5. Overqualified.
6. Jobs canceled.
7. No unemployment, as the previous employer did not pay to the unemployment office due to a 1099 scenario.
Yes, IT security professionals have it easy.
Robert – thank you for your comments. Incidentally, none of the 20+ security positions I have open at the moment requires a CISSP or a clearance. Many job descriptions stating that they require certain certifications are not necessarily ironclad.
The other challenges you mention are very real, but not, in my view, particular to information security practitioners. Rather, they’re symptoms of a still-recovering economy. Still, my statement that “security people sure have it good” is partially tongue-in-cheek.
Robert,
1. BS. I know quite a few people in the field without a CISSP.
2. More BS. Many jobs in IT Security do not require a government security clearance.
3. See above. Yes if one is unemployed it can be a bit harder to get hired but it’s hardly impossible if you perform your job search properly.
4. I’ve heard of one or two cases of this but usually that’s just plain untrue. One can usually come to an agreement on relocation assistance.
5. That can apply to any field.
6. Again, that happens in just about every field sometimes. It’s even happened to me. It’s hardly the norm though.
7. If you take contract work rather than get hired on full time why would you expect anything else?
Additionally, nothing in the article said anything about ‘having it easy’. It just states the rapidly growing need and some of the problems with how jobs are categorized. You have a very negative attitude. That in and of itself makes it hard to find work.
Actually, in retrospect, we in security DO have it a bit easier than many professions right now. At the firm I work for we like to joke that IT Security is the most ‘secure’ job in IT, if you’re good at it 🙂
Job security in infosec is a ticklish subject. Too many organizations are currently willing to deprioritize security projects and programs, because they’re viewed as insurance – “we’ll eat the risk in order to stay operational.” This is understandable but foolish, as any attacker knows to prey on the weak. A lot of the “so many vacancies” Robert mentions do quickly dematerialize because of this phenomenon.
In the spirit of shameless self-promotion, I encourage any and all with interest in information security employment to attend my upcoming talks at BSides Detroit (http://www.securitybsides.com/w/page/61144863/BSidesDetroit13) and BSides Pittsburgh (http://www.securitybsides.com/w/page/63601304/BSidesPittsburgh2013), in which I will discuss nuts-and-bolts problems and solutions in infosec careers. I pay particular attention to the problem of obfuscatory job descriptions and recruiter FUD.
The toughest thing I have found is actually getting someone to look at my qualifications and actually understand what they are, what went into getting them and what they encompass. I have to agree a little with the original commenter on the CISSP aspect. It seems that many recruiters won’t even look at you without it.
Me, I don’t want to be a manager in InfoSec, I want to be getting my hands on the action. Problem there is that I often find myself having to do other tasks and use the skills I have developed for roles outside of security or incident response.
While Eve may not be looking exclusively for CISSP, there are too many companies that hire an InfoSec manager and think they’re done.
It’s interesting to know that there is space for people with knowledge and experience in security. Do you think there would be space for foreigners, now or in the future? In my case, I live in Mexico City but I would like to find a job in the US in the future. Here there are very qualified people working in security.
Eve: You didn’t highlight one important aspect: when HR doesn’t have a clue regarding the technical aspects of the job, they simply decide to check the boxes on the acronyms/keywords on the résumé.
Never mind that most acronyms are based on power of memorization and not actual knowledge. Keywords are added by candidates to polish the resume, though they might not have a clue regarding what those tasks entail.
This cycle of improper R&R definition and lack of matching of skillsets results in a cycle of hiring, dissatisfaction and loss for the company in tangible terms – time lost, recruiting costs, severance, rehire – all of which can be avoided by companies who get it right the first time.
Aj – thanks. I highlight, and actually belabor, those points in my above-linked talks. While I am in favor of redundancy for failover purposes, I try to avoid it in my public postings.