Cybersecurity's hiring crisis: A troubling trajectory

Summary: There is a severe -- and worsening -- shortage of information security professionals. Leading industry experts believe it predicts a grave outcome.

There is a severe shortage of information security professionals, and leading industry experts say it's only getting worse.

Word among attendees at this month's Black Hat USA 2014 conference -- the largest security conference in North America -- was that there are more jobs in cybersecurity than people to fill them.

James Arlen, Leviathan Security Group’s Senior Security Consultant, was one of many walking around the conference asking "anyone and everyone" to throw resumes his way.

"I think I counted over 50 'We’re Hiring' or 'Talk to me about a job' signs," he said.

In conversations throughout the conference, the seasoned researcher discovered quite quickly that his wasn't the only company on an aggressive hunt for hackers to plug infosec's talent gaps.

He told ZDNet, "The most entertaining of these was the effort by Nike to attract talent at Black Hat."

"For every request I made to help fill empty slots on my team, I was asked if I was looking to make a move to a 'better' position," the consultant added.

For a sector whose growth is incomprehensibly fast to outsiders, the escalating hiring crisis seems counterintuitive. But in this painful moment in infosec, calling it a crisis seems a gross underestimation of the problem.

In January, the 2014 Cisco Annual Security Report (CASR) projected a 500,000 to 1,000,000 person global shortage in the number of IT security professionals that public and private sector organizations will need to cope with the security challenges of the foreseeable future.

“Cisco’s number is the highest estimate of the security-skills problem,” explained eWeek in its June writeup on the worsening impact of the Internet of Things on infosec’s hiring crisis.

"James Gosler," eWeek continued, "a cyber-security specialist who worked at the Central Intelligence Agency, has argued that the United States needs some 30,000 technical cybersecurity workers, essentially hackers."

Meanwhile, the International Information Systems Security Certification Consortium has calculated that more than 300,000 cyber-security professionals are needed to maintain and manage business systems.

Arlen thinks a big part of the domestic problem is the bureaucratic roadblocks to hiring talent from outside the country's borders.

He said, "The need within the U.S. cannot be met by domestic talent."

Leviathan's security honcho attributes the widening gaps to a long overdue need for changes to foreign worker status, namely employment-based immigration visas.

The two lowest friction methods to get talent from outside the US – TN Status (NAFTA) and H1-B – are still significant barriers to acquiring talent either from Canada or the rest of the world.

And of course, there’s the curious conflation of citizenship with loyalty… many security positions require clearance of one type or another and therefore must be filled by US Citizens only – foreign nationals, even of allied countries (even Canada!) are not welcome.

Structural obstacles, such as visa requirements, are layering atop an underlying bottleneck: the limited supply of qualified talent in a young industry where the definition of "qualified" is about as clear as mud.

Hiring the unhirable

Solving this crisis turns out to be as complex as defining what constitutes a "qualified hacker" -- in a business where having a pedigree can actually have you considered to be less qualified, and being unhirable by traditional standards is… almost desirable.

Chris Hoff is the Vice President, Strategy and Technical Marketing Engineering – Security, Switching, and Solutions BU at Juniper Networks.

Hoff told ZDNet that vendors are experiencing difficulty finding suitable candidates "in a highly competitive job market that have the required experience in a number of emerging disciplines such as advanced malware detection/mitigation, reverse engineering, forensics, crypto, virtualization and cloud."

He continued saying,

This is largely in response to the emergence of new classes of threat actors, new technology, evolving and innovative threat vectors and the wave of breaches that show up in the media daily. This is in addition to the lack of formalized educational, mentorship and professional tradecraft training.

Further, “Security” is still a reasonably young “profession,” and many of the skills are learned on the job which often means it is hard to break into the industry with enough of a well-rounded background that allows one to take advantage of emerging career opportunities and not become overly-specialized.

Arlen thinks the most severe challenge relates to the education vs. experience conundrum endemic to the information security profession.

I have a personal preference to hire based on experience – and a sufficient number of others do as well – leaving the bulk of ‘available’ talent in the “book learning rather than practical” bucket.

Mr. Arlen adamantly believes that the industry needs to stop equating education with experience. "It is too hard for the average organization to hire actual qualified people – Degrees, Certifications and fudged resumes do not magically create qualified people."

"I appreciate that someone may have a Masters in Cybersecurity from a name brand university (like this, and many others) but that doesn’t necessarily mean they have the ability to apply anything they’ve learned in a practical fashion."

It's experience with attacks, and perhaps even unsavory hacking hobbies, that can make the difference between filling a job with a talented defender and filling it with a salesman who has a pedigree but no grasp of the devil-in-the-details meat of cybersecurity.

So it's no wonder that last weekend an interview with White House Cybersecurity Czar Michael Daniel hit a raw nerve across infosec communities far and wide when Daniel eschewed technical knowledge and experience "in the weeds" in favor of his expertise at translating issues to policymakers.

For some, it gave the impression that the White House isn't taking information security seriously enough -- at the worst possible time.

The result of all this, Mr. Hoff warns, is "increased risk, more incidents, decreased readiness, less resilience, demoralized and burned-out employees, an echo-chamber of talk with little action and a general inability to effect positive change on behalf of those we protect."

Photo credit: Image courtesy of Black Hat USA/UBM Tech, used with permission.

  • I Bet It's Disingenuous

    There isn't a shortage that can't be solved with money. It's not that firms can't get the skills they want, it's that they can't get them at the price they want to pay. Firms with a reputation that don't want to take a chance hiring crackers that have been caught have to pay more.

    Those are the skills these firms are seeking - crackers, not hackers. You can pick a lock. That's a different skill than getting in the door. The folks who can get in the door are hackers. The ones that can defeat the lock are crackers.

    I would bet that you (and I, and everyone else who reads your blog) know plenty of crackers, and hackers, who aren't rolling in dough. With Snowden's heist, if you don't look like a suit, you aren't going to get a look, which is too bad, because CSO's need both.
  • The need within the U.S. cannot be met by domestic talent

    There you have it gentlemen.
    What more evidence do we need?
    Judas, thank you for the victim.
    Stay a while and you'll see US IT bleed!
    • You really think foreigners can do the job?

      What a naive statement! There are more problems with the infosec industry than hiring bodies. The entire computing industry needs an overhaul. You need EVERYONE on board with security, from the idiots who continue to write programs with unbounded buffer moves and who do not sanitize user input to the dumb ass architects who leave user information in what is essentially their lobby without protection. You wouldn't leave your user information in a filing cabinet in your physical lobby, so why are you doing it in your virtual lobby?

      Most foreign programmers/analysts are the worst. Not only is their education less than in other countries, but when it comes to having to think beyond what they learned in a book or what the vendor's glossies say, they cannot think beyond the document. Don't tell me that the product won't let me separate the user database from the webserver. Figure out a way to do it. There are people who can do it. It can be done.

      Yes, programming this way is harder. But so is designing a car that doesn't break apart or explode when it crashes. So is designing and building a building to prevent it from toppling over during an earthquake or hurricane.

      The entire industry needs a reboot. It's time they stopped creating the equivalent of side-saddle gas tanks (go look it up if you are too young to understand the reference) or building programs where one virtual earthquake leaks your data like a broken gas main!

      I am sure they can find bodies. The key is to find qualified bodies and shopping on the foreign market will get you just as unqualified bodies as you get in the United States. Time to make the bodies qualified or suffer the fate of the Corvair (you can look up that reference, too).
      • Plus they steal trade secrets and backdoor locations

        and take them back to China.

        China and India are our enemies. Why do we hire Chinese and Indian "engineers" for our security system?
    • No bleeding here

      The industry just needs a Pilate.
  • Fix the root causes, and you will need fewer cyber experts

    The problems that consume the most amount of talent are the kinds of problems that can be designed out. What do I mean? Simply that the magnitude of the cyber security problem is what it is because we use components that are flawed and the solutions we put them into are not well conceived...

    There is no excuse why we can't follow sound engineering principles and practices here.

    If we had not developed standards that measure how (for instance) toasters work, and if the wiring in your kitchen weren't up to national electric code standards -- well we would be pulling our hair out trying to figure out how to train more firemen...
    • Amen, Brother Vic!

      Finally, someone understands the problems!!
  • Use the financial industry model

    The cyber security industry should take a page out of the playbook of the financial industry. Pay skilled security professionals with the same kind of pay scale that the financial industry rewards trusted bankers and other financial wizards. Black hat hackers can make a lot of money working for the dark side and are seldom caught. By offering these highly skilled black hat hackers huge salaries, many of them will be enticed to become white hat hackers. Unfortunately, the cyber security industry has not figured that out yet. They still pay their honest security professionals a pittance compared to what they might be making working for the dark side.
  • "...the White House isn't taking information security seriously..."

    Not a day goes by without a headline shouting Cyber Armageddon! is about to strike. The fact of the matter is the laws are weak and the enforcement is pretty much nonexistent. The FBI is always "investigating" but there never seem to be any results. Of course it's hard to believe the folks in charge take it seriously.
  • Hire or LIE

    My issue with the article is, those of us who are security specialists and have TRIED to obtain positions at companies like the above, we're denied due to not having degrees or certifications. Take tests and it's either you want to use us or you don't.

    Last time I checked, when I SQL injected a voting website to obtain registered voters and who they voted for, addresses, etc I didn't need a degree for that, did I? Mind you this was done with expressed permission and with full knowledge of the local county in conjunction with Counsel, so I wouldn't be in jail now as they knew what I was trying to do, otherwise I would be in big trouble lol.

    I'm not the type to go and try to prove I know every terminology or go to school for years and get crammed with nonsense when I have no issues as a developer, security analyst for closed and open networks in local businesses, as well as a wearable engineer.

    I quit school. I work crazy hours. I don't have an amazing education. I do however think out of the box and live for HELPING people and hence why I will even offer my services freely.

    But for these companies to say they can't find guys like us here in the USA? That would be his/her own fault for looking for a candidate that they'll never find, and if they do, they're usually by the book, where those of my species take the book, keep it in the back of our minds and make our own path to create bugs/tools that could be potentially hazardous but are built to detect future issues that may come in that form.

    Got to build the next micro bug that is an FM transmitter w/elect MIC using a coin cell battery with conductive threading (on pat down won't feel it vs wires) so that when I have a client that needs to ensure nothing gets transmitted in a private meeting?

    Besides the metal blocking cell phone sleeves I designed- we can see as everything counts and can't be just cyber threats as physical onsite threats can be a major issue as well- hence a USB stick that can copy/wipe out a drive and perhaps any local attached drives which could contain data to login to ftp accounts, emails, etc.

    Cyber threats are also electronic threats. Your cleaning staff could have a new hire who grabs data from a PC. So it's much more than web based security these people need to hire. You need real engineers with feet in cyber.
  • What Cyber Security Shortage?

    For months now I have been reading about the Cyber Security Shortage. I see maybe 5 new Cyber Security jobs a week on the different job sites (Monster, Dice, Career Builder, etc...). I have been job hunting since April and have not had one Cyber Security job offer. I have over 20 years of experience in IT security. I have taken many Cyber Security training courses and I hold a CISSP, C|EH, GSEC, Security+ plus many that are not in the Cyber Security field. So, I have to ask, what Cyber Security Shortage?

    Some of the other people suggested we should bring in Cyber Security professionals from outside the United States. I disagree with this. Our country has a high unemployment rate and there are many hard working and intelligent people that, given a chance, can fill these positions. In addition to that, DOD is getting ready to cut tens of thousands of military personnel who already have background investigations done and have security clearances. Instead of thanking them for their service and then telling them not to let the door hit them on the way out, we should be training them and giving them jobs.
    • Certification myths...

      Certification myth #1: Just because you passed a test doesn't mean you know anything about security. I passed the CISSP after two days of looking over practice questions and not being able to sit long enough because of a bad back. I took the stupid test because I was required to, otherwise I would put my 30 years of experience over anyone else's who has taken the test.

      Certification myth #2: Nothing beats experience. Stop thinking that since you passed the test and are pompously adding letters after your name that you are qualified to do the job. Go find something that is not a senior level-type position. Go get more experience then we can talk.

      Before you ask, I do NOT add "CISSP" after my name. In fact, I made my company replace new business cards because it was included against my wishes.

      Certification myth #3: Even if you pass the test the tests do not tell you what your strengths or weaknesses are. All it says is that you can study a concept and sit long enough to deal with the endurance issues of a test. Knowing what you do not know is more important since it will give you an opportunity to learn more about the issue. Otherwise, it gives you a false sense of yourself without context.

      There is no single right answer but the certifications ain't it!
      • totally agree

        The notion that certifications are the be all and end all is wrong.
        Certifications at best show a level of competency and understanding.

        If you have some badges and can't get a job in infosec - you probably have 1 of the following :-

        1) a terribly written CV (you're dropped before a hiring manager will even see it)
        2) are a lousy interview candidate (sometimes you just got to rock a suit and look presentable)
        3) Aren't prepared to move to where the work is. - the US is littered with 'cyber' job vacancies. Most consulting / security audit companies are struggling to hire enough staff
        4) Can't travel much for work. - Infosec roles in the above space typically require a lot of travel.
        5) expect the salary of a consultant for an in house role (with no travel etc).
  • The standard corporate scapegoat...

    Once again, The Great American Corporate Excuse is heard - "We just can't find qualified help in the U.S. so we will just have to apply that excess profit toward raises, bonuses, and stipend increases for the Chief Officers and BODs."
    99% of security breaches in the U.S. are not due to a lack of "rocket-science" skill, they are due to a lack of simple, commonsense practices that any level of IT staff could implement if their budgets allowed for it. American corporate failures are always due to the same two things - executive greed and lack of managerial sincerity.
  • I just can't get interested

    I am an IT professional with over 26 years of experience. As a Systems Admin, I enjoy a challenge of researching and fixing issues. But for some reason, I could really give a crap about security. It bores me. Your job is never done, you can't trust anyone and second-guessing is a primary attribute. Sounds like channeled paranoia ...

    Yes, I know how important security is, and I do design my solutions to maximize it. But you won't catch me doing this full time.
    Roger Ramjet
    • Well, that's one down, and millions more to check with

      Just as some don't find interest in protecting our country via military service, there are others who swell with pride in performing that duty and see the importance in filling the role. Thank goodness for them. What we need are enthusiastic individuals who enjoy the IT security role, obviously. I find many are interested in the job and the role we play, but there is no easy way to develop talent. Sure, you can get a few that are so motivated and talented that they self-teach and become competent on their own, but in order to fill the numbers the US needs to fill, you have to mass produce the talent, and currently there is no good method for accomplishing that.
  • Certification Sucks

    Security training courses cost a fortune and are out of reach for most people. Plus, they are basically targeted to help one pass certification exams. I know. I have lots of them. Most people that go to the training go there to get the certification because it's the certification that gets you the job. That whole system sucks the big one. Take Cisco out to begin with. How about offering better computer security in vocational schools and to high school age kids. Start them early. Make it a skilled labor type of job. Computer security is not brain surgery. It's experience that counts the most but you have to know the basics first. I'll give a job to someone with a 4 year degree in Computer Security way before I'll give it to someone with Cisco certification.
    • Great point

      I agree. I wish I had it as a trade first. I would then be able to assess whether I wanted to pursue any certifications which are way too expensive.
  • Off the wall

    This may just be confirmation that I am clueless about the intricacies of operating systems and their vulnerabilities, but :
    1) Can data space and program space be isolated from each other? Many intrusions come from data masking malware; code hidden in a picture goes back a long way. Embedded code in web pages etc. is necessary, so can these 'programs' be restricted in what they can actually do?
    2) Can vulnerable hardware (BIOS, HDD), not be guarded against anything other than local-terminal input, at least until local approval has taken place ?
    The phrase long ago, from a C programming book ... "he who experiments, learns much but reboots often", so prevent remote users from causing any such actions.
  • college student

    Why not look to the colleges? I'm a BSIT network security student that can't even get into the IT field because of lack of a degree, a certification and any experience. Why not take these students under your wing and train them while in school?