Why Cybersecurity Unemployment Will Remain at Zero

Now that we have a confirmed zero-unemployment problem in Cybersecurity, even with the recent addition of some Equifax, Target and Home Depot professionals, it is time to revisit the mis-configured target for information security professionals.

We keep trying to hire resumes instead of people.

At last report, there are still roughly 1 million job openings in information security as of right now and the number is expected to reach 1.5 million by 2019. Also, according to employment researchers, by 2019 the demand for cybersecurity professionals will increase to approximately 6 million globally. Please don’t ask me for citations. If you want the data, just Google it.

If you look at the job postings, almost all of them call for certifications that are overkill for the actual work and academic degrees that are not even available in our universities and colleges. Why does this myopia still persist?

One of the industry’s old mavericks, John McAfee correctly points out that, “The field of cyber security is the least populated of any field of technology. There are two job openings for every qualified candidate.”

Robert Herjavec has a view of the market that is indicative of many in the space and I think it reflects a common and chronic mis-understanding of the actual problem and what needs to be done to address the issue. No disrespect to Robert.

Robert is the well-known founder and CEO at Herjavec Group , a global Managed Security Services Provider and a regular on the Shark-Tank Reality VC TV Show. Robert says, “Unfortunately the pipeline of security talent isn’t where it needs to be to help curb the cybercrime epidemic. Until we can rectify the quality of education and training that our new cyber experts receive, we will continue to be outpaced by the Black Hats.”

In my humble opinion, being outpaced by the Black Hats has nothing to do with the strength or quality of our Cybersecurity professionals. It is akin to suggesting that if the US Military were just better trained, we could defeat ISIS. We can look forward to being outpaced by the Black Hats for a long time to come regardless of whether we fill those 1.5 million jobs or not.

If I give you 10 billion security events to analyze every day, you will fail. And, the bad guys will keep on winning.

Even if you had that 1.5 million workforce in place, you would be hard-pressed to convince many of them to sit in a Security Operations Center (SOC) all day, monitoring sensors and looking for attacks in real time or poring through log files in search of signs of an adversarial presence in a network. Which by the way is what most of the work that Herjavec imagines these people doing will require.

In spite of the (entry-level) positions offering a median annual salary of approximately $90,000, and paying more than six-figures in New York, California, and Virginia, most folks will not want to do this work.

That’s why we have fast machines, big data algorithms, artificial intelligence and behavioral analytics. The work that is being done at MIT in their AI2 Project is indicative of the right direction. They have been able to replace security analysts with adaptive machine learning and AI to successfully predict 85% of cyberattacks in a controlled population and reduce false positives by a factor of 5. This is a great start and bodes well for some mitigation of the zero-employment problem.

In the meantime, today’s solution is not education and training. We need to adjust our target profiles to accommodate reality.

We need first to stop trying to hire Unicorns and creating these ridiculous job specs that specify a range of disparate skill sets that most security professionals don’t have. If we are doing this because we need three but only have budget for one, then we are dumber than I thought. The last time I looked, one person skilled in A can’t do the work of three people skilled in B, C and D.

The irony is that there are actually candidates emerging from colleges with Computer Science degrees who know a little about information security who can’t find jobs because they lack experience and at the same time we have hordes of experienced network engineers who would love to pivot to a career in information security but don’t possess the desired certifications and are told they are unqualified. 

There seems to be a huge disconnect between the reality on the ground and the job descriptions concocted in the HR suite. If I needed to hire a working cybersecurity analyst, I would much prefer a seasoned network engineer or a high school dropout with intense curiosity, tenacity and stubbornness over a CS graduate with some coursework in Cybersecurity or even with a CISSP or CEH certification.

The work is generally tedious and repetitive and rewards people who have an aptitude for pattern recognition, persistence, parallel thinking and detail. A good network engineer or a teenage hacker without a degree is a much better candidate than a guy who studied software engineering or IT project management in school.

There is major confusion among those in the hiring process as to which skill is actually required and which are nice to have. If we look at it through Herjavec’s lens, we are talking about troops who spend their days in the trenches trying to sort real threats from the millions of false positives being generated by our monitoring sensors. Much of the work is filling out spread sheets.

Recruiters and HR professionals would be far more effective if they simply cast their lines where the fish hang out than by creating lavish and complicated job postings on Monster and DICE.

There are at least 100,000 security specialists of varying ranks and interests who congregate several times a year at places like DEF CON and represent the very best of our hacker community. These guys or some of the guys they know present an actual target rich environment for recruiting. At least you’d never have to worry about skills.

What you would have to worry about is whether you’re company is cool enough, whether you have lots of layers of management and process that will envelope your new recruit, whether you can actually pay enough, and whether you can answer the question of why someone who can write their own check would ever decide to go to work for you.

Unless you are ready to let your new recruit loose on identifying the non-obvious correlations in your network landscape and beyond so that they can begin to address the actual vulnerabilities, you will be out of luck. If you didn’t understand the last sentence, you will be out of luck too.

Beyond the fatigue inducing syslog reviews, the artful component of the work is frequently overlooked and never mentioned in job requirements. The instinct that enables skilled hackers to detect anomalistic behavior within a sea of data is not taught in any school nor does ISACA have a certification for that ability.

Next time, skip the job boards and get down to the RSA Conference, DEF CON and Black Hat. And if you are actually successful in hiring some talent, let them do what they do best.

The post Why Cybersecurity Unemployment Will Remain at Zero appeared first on Netswitch Technology Management.

This is a Security Bloggers Network syndicated blog post. Read the original at: News and Views – Netswitch Technology Management 2017-11-20.