This is a quote from a Washington Post article dated August 2nd, 2021 on the subject of unfilled cybersecurity roles in the United States.
Cybersecurity is an immensely expansive field. From application security to network security to network monitoring to client/end-user security to pentesting and malware development to social engineering to wireless attacks to physical security to compliance/legal frameworks, there are hundreds upon hundreds of tools and applications available for the plethora of different Infosec/Cybersecurity roles that exist, many open source, and many with a hefty price tag. It takes lots of time to master any single one, and it can often be difficult to predict what any particular prospective company might want you to know, but as students in the realm of cybersecurity, we learn to delve into nearly everything we can, while obviously focusing in on tools we know to be popular (Nmap, Burp, OWASP ZAP, Nessus, Wireshark, John the Ripper, Metasploit, Cain and Abel, and Nikto are just a few that come to mind).
But where does that leave us in the end as it relates to bringing on fresh talent in cybersecurity departments? If you ask most directors or CEOs or hiring managers, you’re likely to hear the same tired, perpetuated myth of the “drought of candidates in cybersecurity”. This claim could not be any further from the truth, and it’s time we started facing the reality of the situation. The “drought” that is often referred to has been imagined. Fabricated, if you will, by companies who will not entertain the idea of hiring any cybersecurity candidates who have anything less than mid to senior-level corporate cybersecurity work experience. Herein lies the problem.
It stands to reason that companies would want absolute cream-of-the-crop experts handling something as important as their digital security. But where then do we draw the line between hiring experienced candidates and acting as old-guard gatekeepers who keep out those who have worked tirelessly through the years to build a foundation in IT and Cybersecurity but just haven’t yet been graced with the opportunity to work an outright Cybersecurity role? As all things do, it comes down to the bottom line: money. Who wants to train a competent candidate with a solid foundation when they can just hire someone who has been in a Senior-level security engineer role for the past 5-10 years? Well, they can certainly find these candidates if they look hard enough, but enticing them to apply and keeping them on is a different story entirely. Candidates such as these have any option in the world as far as employment opportunities, and rightly so. They’ve earned it. Top-tier pentesters, for instance, have their pick of the litter among Fortune 500 companies with six-figure offers. But how many of these candidates exist in the United States? I’ll give you a hint: Not 465,000 of them.
So what’s the solution? It’s time to face the facts. Cybersecurity roles that are lower-tier than Senior need to be embraced and introduced as a standard at more companies alongside the Senior-level roles which already exist. While nobody expects any company to put a candidate through a bachelor's or master's degree's worth of training, a lot more needs to be done on the part of employers to grow their cybersecurity departments organically. Perhaps not from an absolute beginner standpoint, but certainly from an upper-entry-level to intermediate one. Junior SOC Analyst and Jr Incident Response Analyst roles need to be introduced for candidates who are fit to fill those roles, with Senior-level engineers offering even just a few short weeks' worth of training to overlay the Junior's already existing knowledge and perhaps help in filling in some gaps along the way. Some companies already have scenarios like this in place, but if we are to understand that 465,000 desks are sitting empty, then it’s time to face reality instead of continuing to perpetuate this long-told myth of the “Cybersecurity candidate drought”.
Naomi Buckwalter, a seasoned Cybersecurity professional, has actually started a foundation called Gate Breakers dedicated to addressing this topic as well. You can see a great, albeit heated, interview with Naomi here:
https://www.youtube.com/watch?v=pAvfW0_FvqI
For more information on Naomi's foundation itself, please visit:
https://www.cybersecuritygatebreakers.org/